Vulnerability Name:CVE-2017-17664 (CCN-136304)

Assigned:2017-12-13
Published:2017-12-13
Updated:2018-01-02
Summary:A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets cause a crash in the RTCP Stack.
CVSS v3 Severity:5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type:CWE-119
Vulnerability Consequences:Denial of Service
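The entry classifies the flaw as CWE-119 (memory-safety) triggered by compound RTCP packets. The walker below is an added, generic example of how a receiver should treat an RTCP compound packet so that no wire-supplied length or report count is trusted before it is checked against the bytes actually received; it is not Asterisk's RTCP code and does not reproduce the specific defect fixed in AST-2017-012. The packet layout follows RFC 3550; the three sample packets are constructed here, not captured traffic.

```python
import struct

# RTCP packet types (RFC 3550 section 12.1).
RTCP_SR, RTCP_RR, RTCP_SDES, RTCP_BYE, RTCP_APP = 200, 201, 202, 203, 204
HEADER_LEN = 4          # V/P/RC byte, PT byte, 16-bit length (32-bit words minus one)
REPORT_BLOCK_LEN = 24   # one reception report block
SENDER_INFO_LEN = 20    # NTP/RTP timestamps, packet and octet counts (SR only)


class RtcpError(ValueError):
    """Raised for any sub-packet that does not fit the bytes actually received."""


def parse_rtcp_compound(buf: bytes) -> list:
    """Walk a compound RTCP packet and return (pt, count, body) per sub-packet.

    Every length comes from the wire, so each is checked against the bytes
    that really exist before anything behind the header is read: the 4-byte
    header must fit, the declared length must fit, the padding count must be
    sane, and for SR/RR the report count (RC) must fit inside the body.
    """
    packets = []
    offset = 0
    while offset < len(buf):
        remaining = len(buf) - offset
        if remaining < HEADER_LEN:
            raise RtcpError(f"{remaining} trailing byte(s) cannot hold an RTCP header")
        b0, pt, length_words = struct.unpack_from("!BBH", buf, offset)
        version, padding, count = b0 >> 6, (b0 >> 5) & 1, b0 & 0x1F
        if version != 2:
            raise RtcpError(f"RTCP version {version} at offset {offset}")
        total = (length_words + 1) * 4
        if total > remaining:
            raise RtcpError(f"sub-packet at offset {offset} declares {total} bytes, {remaining} available")
        body = buf[offset + HEADER_LEN:offset + total]
        if padding:
            pad = body[-1] if body else 0
            if pad == 0 or pad > len(body):
                raise RtcpError(f"invalid padding count {pad} at offset {offset}")
            body = body[:-pad]
        if pt in (RTCP_SR, RTCP_RR):
            fixed = 4 + (SENDER_INFO_LEN if pt == RTCP_SR else 0)   # SSRC (+ sender info)
            needed = fixed + REPORT_BLOCK_LEN * count
            if len(body) < needed:
                raise RtcpError(f"RC={count} needs {needed} body bytes, only {len(body)} present")
        packets.append((pt, count, body))
        offset += total
    return packets


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_rtcp_compound(buf)
        return True
    except RtcpError:
        return False


def _sub_packet(pt: int, count: int, body: bytes, padding: bool = False) -> bytes:
    """Build one RTCP sub-packet; body must already be 32-bit aligned."""
    assert len(body) % 4 == 0
    b0 = (2 << 6) | (int(padding) << 5) | count
    return struct.pack("!BBH", b0, pt, len(body) // 4) + body


# Constructed samples (not captured traffic).
# SR: SSRC + sender info + one report block; SDES: one chunk holding a CNAME item.
_SR_BODY = b"\x00" * (4 + SENDER_INFO_LEN + REPORT_BLOCK_LEN)
_SDES_BODY = b"\x00\x00\x00\x01" + b"\x01\x04" + b"test" + b"\x00\x00"
WELL_FORMED_COMPOUND = _sub_packet(RTCP_SR, 1, _SR_BODY) + _sub_packet(RTCP_SDES, 1, _SDES_BODY)

# SR header whose length field claims 164 bytes while only 52 were received.
TRUNCATED_COMPOUND = struct.pack("!BBH", 0x81, RTCP_SR, 40) + b"\x00" * 48

# RR with RC=3 (needs 76 body bytes) but a 4-byte body: the report blocks lie past the buffer.
OVERSTATED_REPORT_COUNT = _sub_packet(RTCP_RR, 3, b"\x00" * 4)


if __name__ == "__main__":
    for name, pkt in [("well-formed", WELL_FORMED_COMPOUND),
                      ("truncated", TRUNCATED_COMPOUND),
                      ("overstated RC", OVERSTATED_REPORT_COUNT)]:
        try:
            parsed = parse_rtcp_compound(pkt)
            print(f"{name}: accepted, {len(parsed)} sub-packet(s) {[p[0] for p in parsed]}")
        except RtcpError as exc:
            print(f"{name}: rejected ({exc})")
```

The two rejected samples show the two ways a compound packet can lie about its size: the per-sub-packet length field can exceed the datagram, and the SR/RR report count can promise more 24-byte blocks than the sub-packet carries. A stack that indexes report blocks by RC without the second check reads or writes past its buffer, which is the class of bug CWE-119 names.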
References:Source: MITRE
Type: CNA
CVE-2017-17664

Source: CCN
Type: Asterisk Project Security Advisory
AST-2017-012

Source: MISC
Type: Vendor Advisory
http://downloads.digium.com/pub/security/AST-2017-012.html

Source: CCN
Type: Asterisk Project Security Advisory - AST-2017-012
Remote Crash Vulnerability in RTCP Stack

Source: BID
Type: Third Party Advisory, VDB Entry
102201

Source: CCN
Type: BID-102201
Asterisk CVE-2017-17664 Remote Denial of Service Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040009

Source: XF
Type: UNKNOWN
asterisk-cve201717664-dos(136304)

Source: MISC
Type: Issue Tracking, Patch, Vendor Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-27382

Source: MISC
Type: Issue Tracking, Vendor Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-27429

Source: DEBIAN
Type: Third Party Advisory
DSA-4076

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-17664

Vulnerable Configuration:Configuration 1:
  • cpe:/a:digium:asterisk:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.18.4)
  • OR cpe:/a:digium:asterisk:*:*:*:*:*:*:*:* (Version >= 14.0.0 and < 14.7.4)
  • OR cpe:/a:digium:asterisk:*:*:*:*:*:*:*:* (Version >= 15.0.0 and < 15.1.4)

Configuration 2:
  • cpe:/a:digium:certified_asterisk:*:*:*:*:*:*:*:* (Version <= 13.13)
  • OR cpe:/a:digium:certified_asterisk:13.13:cert1:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert1_rc1:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert1_rc2:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert1_rc3:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert1_rc4:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert2:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert3:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert4:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert5:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert6:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert7:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:13.13:cert8:*:*:*:*:*:*

  • * Denotes that component is vulnerable
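The two configurations above reduce to three open-source version ranges plus the Certified Asterisk 13.13-cert1 to cert8 releases. The checker below is an added example (not a tool from the Asterisk project) that maps a version string onto those ranges; the accepted input forms, including the "certified/" prefix and an "-rcN" suffix, are assumptions about how `asterisk -V` reports itself, and an rc build is assumed to sort before the release it precedes. The sample strings in the main block are constructed.

```python
import re
import sys

# Fixed versions as listed in the advisory summary for this CVE.
FIXED_BY_BRANCH = {13: (13, 18, 4), 14: (14, 7, 4), 15: (15, 1, 4)}
CERTIFIED_BASE = (13, 13)   # Certified Asterisk branch that received the fix
CERTIFIED_FIXED_CERT = 9    # 13.13-cert9

# Accepts "Asterisk 13.18.3", "13.18.3", "Asterisk certified/13.13-cert8" and
# "13.13-cert1-rc2". The "certified/" prefix and "-rcN" suffix are assumed
# output forms of `asterisk -V`, not something this entry states.
_VERSION_RE = re.compile(
    r"^(?:Asterisk\s+)?(?:certified/)?(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+)(?:-rc(\d+))?)?\s*$",
    re.IGNORECASE,
)


def is_affected(version_string: str) -> bool:
    """True if the version falls inside a vulnerable range from this entry."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version string: {version_string!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    cert, rc = m.group(4), m.group(5)

    if cert is not None:
        # Certified Asterisk. Configuration 2 lists everything up to 13.13 plus
        # the 13.13-cert1..cert8 releases; cert9 is the fix. An -rcN build is
        # ordered before the release it precedes (assumption, chosen to be conservative).
        base = (major, minor)
        if base < CERTIFIED_BASE:
            return True
        if base > CERTIFIED_BASE:
            return False
        cert_key = (int(cert), int(rc) if rc is not None else float("inf"))
        return cert_key < (CERTIFIED_FIXED_CERT, float("inf"))

    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return False   # only the 13.x, 14.x and 15.x branches are listed as affected
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    # Constructed version strings; on a live host run `asterisk -V` and pass its output.
    samples = sys.argv[1:] or ["Asterisk 13.18.3", "Asterisk 13.18.4", "Asterisk 15.1.3",
                               "Asterisk certified/13.13-cert8", "Asterisk certified/13.13-cert9"]
    for s in samples:
        print(f"{s:36} -> {'AFFECTED' if is_affected(s) else 'fixed / not listed'}")
```

Distribution packages (the Debian and Ubuntu entries below) backport fixes without bumping the upstream version, so on those hosts the package changelog, not `asterisk -V`, is the authority; this check answers only whether an upstream-versioned build is inside the ranges the entry lists.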
    Oval Definitions
    Definition ID                                  Class  Title                                                     Last Modified
    oval:com.ubuntu.xenial:def:2017176640000000    V      CVE-2017-17664 on Ubuntu 16.04 LTS (xenial) - medium.     2017-12-13
    oval:com.ubuntu.artful:def:201717664000        V      CVE-2017-17664 on Ubuntu 17.10 (artful) - untriaged.      2017-12-13
    oval:com.ubuntu.xenial:def:201717664000        V      CVE-2017-17664 on Ubuntu 16.04 LTS (xenial) - untriaged.  2017-12-13
    oval:com.ubuntu.disco:def:2017176640000000     V      CVE-2017-17664 on Ubuntu 19.04 (disco) - medium.          2017-12-13
    oval:com.ubuntu.bionic:def:201717664000        V      CVE-2017-17664 on Ubuntu 18.04 LTS (bionic) - untriaged.  2017-12-13
    oval:com.ubuntu.cosmic:def:2017176640000000    V      CVE-2017-17664 on Ubuntu 18.10 (cosmic) - medium.         2017-12-13
    oval:com.ubuntu.cosmic:def:201717664000        V      CVE-2017-17664 on Ubuntu 18.10 (cosmic) - untriaged.      2017-12-13
    oval:com.ubuntu.bionic:def:2017176640000000    V      CVE-2017-17664 on Ubuntu 18.04 LTS (bionic) - medium.     2017-12-13
    oval:com.ubuntu.trusty:def:201717664000        V      CVE-2017-17664 on Ubuntu 14.04 LTS (trusty) - untriaged.  2017-12-13